DETAILED ACTION 

1. The instant application having Application No. 10/668,046 filed on September 22, 2003 
is presented for examination by the examiner. 

Claim Objections 

2. Claim 13 is objected to because of the following informalities: inconsistent terminology. 
The limitation recites a "computing process," which was previously referred to as a "client 
process." 

Appropriate correction is required. 

3. Where applicant acts as his or her own lexicographer to specifically define a term of a 
claim contrary to its ordinary meaning, the written description must clearly redefine the claim 
term and set forth the uncommon definition so as to put one reasonably skilled in the art on 
notice that the applicant intended to so redefine that claim term. Process Control Corp. v. 
HydReclaim Corp., 190 F.3d 1350, 1357, 52 USPQ2d 1029, 1033 (Fed. Cir. 1999). The term 
"consequence" in claim 5 is used by the claim to mean "consecutive data for a sequence", while 
the accepted meaning is "something produced by a cause or necessarily following from a set of 
conditions." (Merriam-Webster) The term is indefinite because the specification does not clearly 
redefine the term. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 
6. Claims 1-5, 11-15, and 20-22 are rejected under 35 U.S.C. 102(b) as being anticipated by 
"Intrusion detection using sequences of system calls", Hofmeyr, et al. (hereinafter Hofmeyr). 

As per claim 1, Hofmeyr teaches a method and apparatus for verifying integrity of a 
computing process, comprising: determining a trait associated with the computing process (page 
152, system calls serve as the observable characteristic of a program); determining a pattern 
statistic associated with the trait based in part on an execution of the computing process in a 
normal condition (page 153, data is collected of normal behavior in a normal execution 
environment); determining a prototype statistic associated with the trait based in part on another 
execution of the computing process in another condition (page 158, new traces of behavior are 
collected, using the same method as for collecting a pattern of normal behavior); comparing the 
pattern statistic to the prototype statistic (page 155, deviations from normal behavior may 
indicate possible intrusions. Hence, behavior at another instance is compared against normal 
behavior to determine any deviations.); and if the comparison indicates abnormal behavior of the 
computing process, performing a predetermined action (page 155, the IDS informs the system 
administrators of anomalous or intrusive behavior). 

As per claims 2 and 13, incorporating the rejections of claims 1 and 11 (respectively), 
Hofmeyr additionally teaches the method and apparatus wherein performing the predetermined 
action further comprises performing at least one of sending an alert message (page 155, the IDS 
informs the system administrators of anomalous or intrusive behavior), and disabling the 
computing process. 
As per claims 3 and 14, incorporating the rejections of claims 1 and 11 (respectively), 
Hofmeyr additionally teaches the method and apparatus wherein the trait further comprises at 
least one system level call (page 153, irregularities in the behavior of programs are detected by 
observing system calls). 

As per claim 4, Hofmeyr teaches the method of claim 1 as applied above. Hofmeyr 
additionally teaches the method wherein determining the pattern statistic and the prototype 
statistic further comprises: determining a trend associated with the trait during execution of the 
computing process in the normal condition (page 177, normal behavior is defined in terms of 
short sequences of system calls executed by running privileged processes); and determining 
another trend associated with the trait during the other execution of the computing process in the 
other condition (page 158, new traces of behavior are collected, using the same method as for 
collecting a pattern of normal behavior). 

As per claim 5, Hofmeyr teaches the method of claim 1 as applied above. Hofmeyr 
additionally teaches the method wherein comparing the pattern statistic to the prototype statistic 
further comprises comparing a frequency (page 156, models of normal user behavior can be 
generated in terms of frequency distributions) and a consequence (page 153, sequences of system 
calls are used as a discriminator for determining intrusion) associated with the pattern statistic 
to another frequency and another consequence associated with the prototype statistic. 
As per claim 11, Hofmeyr teaches an apparatus encoded with computer-executable 
components for determining tamper evidence of a client process, comprising: a transceiver 
arranged to receive and forward data (page 154, an intrusion detection system used to determine 
anomalous behavior, can be host-based or network-based. In the latter case, it is inherent that 
there be a transceiver within the system in order to communicate activity from a particular host); 
an interface, coupled to the transceiver, and arranged to perform actions, including: determining 
a trait associated with the client process (page 152, system calls serve as the observable 
characteristic of a program); receiving a first set of data associated with the trait based in part on 
execution of the client process in a normal condition (page 153, data is collected of normal 
behavior in a normal execution environment); receiving a second set of data associated with the 
trait based in part on another execution of the client process in another condition (page 158, new 
traces of behavior are collected, using the same method as for collecting a pattern of normal 
behavior); determining a pattern statistic associated with the first set of data (page 177, normal 
behavior is defined in terms of short sequences of system calls executed by running privileged 
processes; page 156, this data is used to build up profiles/databases of normal behavior); 
determining a prototype statistic associated with the second set of data (page 158, the same 
method used to generate the normal behavior data is used to collect data at another instance); 
comparing the pattern statistic to the prototype statistic (page 155, deviations from normal 
behavior may indicate possible intrusions. Hence, behavior at another instance is compared 
against normal behavior to determine any deviations.); and if the comparison indicates abnormal 
behavior of the client process, performing a predetermined action (page 155, the IDS informs the 
system administrators of anomalous or intrusive behavior). 
As per claim 12, Hofmeyr teaches the apparatus of claim 11 as applied above. Hofmeyr 
additionally teaches the apparatus wherein the computer-executable components reside in at least 
one of a server, and a client (page 154, an intrusion detection system used to determine 
anomalous behavior, can be host-based or network-based. In the latter case, the system being 
monitored can be considered the "client" which may report to a central machine where all 
processing is performed). 

As per claim 15, Hofmeyr teaches the apparatus of claim 11 as applied above. Hofmeyr 
additionally teaches the apparatus wherein determining the pattern statistic and the prototype 
statistic further comprises: determining a trend associated with the trait during execution of the 
client process in the normal condition (page 177, normal behavior is defined in terms of short 
sequences of system calls executed by running privileged processes); and determining another 
trend associated with the trait during the other execution of the client process in the other 
condition (page 158, new traces of behavior are collected, using the same method as for 
collecting a pattern of normal behavior). 

As per claim 20, Hofmeyr teaches a system for determining tamper evidence of a 
computing process, comprising: a client that includes the computing process, and is configured 
to communicate trait data associated with an execution of the computing process; and a server, 
coupled to the client, and arranged to perform actions (page 154, an intrusion detection system 
used to determine anomalous behavior, can be host-based or network-based. In the latter case, 
the system being monitored can be considered the "client" which may report to a central 
machine where all processing is performed), including: receiving a first set of data associated 
with the trait based in part on execution of the computing process in a normal condition (page 
153, data is collected of normal behavior in a normal execution environment); receiving a 
second set of data associated with the trait based in part on another execution of the computing 
process in another condition (page 158, new traces of behavior are collected, using the same 
method as for collecting a pattern of normal behavior); determining a pattern statistic associated 
with the first set of data (page 177, normal behavior is defined in terms of short sequences of 
system calls executed by running privileged processes; page 156, this data is used to build up 
profiles/databases of normal behavior); determining a prototype statistic associated with the 
second set of data (page 158, the same method used to generate the normal behavior data is used 
to collect data at another instance); comparing the pattern statistic to the prototype statistic 
(page 155, deviations from normal behavior may indicate possible intrusions. Hence, behavior 
at another instance is compared against normal behavior to determine any deviations); and if the 
comparison indicates abnormal behavior of the computing process, performing a predetermined 
action (page 155, the IDS informs the system administrators of anomalous or intrusive 
behavior). 

As per claim 21, Hofmeyr teaches the system of claim 20 as applied above. Hofmeyr 
additionally teaches the system wherein comparing the pattern statistic to the prototype statistic 
further comprises employing a graphical representation to compare the pattern statistic to the 
prototype statistic (Figures 2 and 3). 
As per claim 22, Hofmeyr teaches an apparatus for verifying integrity of a computing 
process, comprising: a means for determining a trait associated with the computing process (page 
152, system calls serve as the observable characteristic of a program); a means for determining 
a pattern statistic associated with the trait based in part on execution of the computing process in 
a normal condition (page 153, data is collected of normal behavior in a normal execution 
environment); a means for determining a prototype statistic associated with the trait based in part 
on another execution of the computing process in another condition (page 158, new traces of 
behavior are collected, using the same method as for collecting a pattern of normal behavior); a 
means for comparing the pattern statistic to the prototype statistic (page 155, deviations from 
normal behavior may indicate possible intrusions. Hence, behavior at another instance is 
compared against normal behavior to determine any deviations.), and if the comparison 
indicates abnormal behavior, a means for performing a predetermined action (page 155, the IDS 
informs the system administrators of anomalous or intrusive behavior). 
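As an added illustration (not part of the office action, and not Hofmeyr's own code), the following Python sketches the method the rejection maps onto the claims: short system-call sequences and call frequencies from a normal run form the pattern statistic, a later run yields the prototype statistic, and a deviation in either comparison triggers the predetermined action (an alert). The window length of 3, the function names and the sample traces are constructed assumptions.

```python
# Added example in the style of the rejection's mapping; not the applicant's
# or Hofmeyr's code. Traces, window length and thresholds are constructed.
from collections import Counter

WINDOW = 3  # length of each short system-call sequence (constructed choice)

def sequences(trace, k=WINDOW):
    """Sliding window of length k over a list of system-call names."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(normal_traces, k=WINDOW):
    """Pattern statistic: set of normal k-sequences plus per-call frequencies."""
    seqs, freq = set(), Counter()
    for trace in normal_traces:
        seqs.update(sequences(trace, k))
        freq.update(trace)
    total = sum(freq.values()) or 1
    return {"sequences": seqs, "freq": {c: n / total for c, n in freq.items()}}

def compare(profile, trace, k=WINDOW):
    """Prototype statistic vs profile: (fraction of unseen sequences, max frequency shift)."""
    new_seqs = sequences(trace, k)
    unseen = sum(1 for s in new_seqs if s not in profile["sequences"])
    mismatch = unseen / len(new_seqs) if new_seqs else 0.0
    total = len(trace) or 1
    new_freq = {c: n / total for c, n in Counter(trace).items()}
    calls = set(profile["freq"]) | set(new_freq)
    shift = max(abs(profile["freq"].get(c, 0.0) - new_freq.get(c, 0.0)) for c in calls)
    return mismatch, shift

def predetermined_action(profile, trace, mismatch_limit=0.2, shift_limit=0.25):
    """Return an alert string if either comparison indicates abnormal behavior."""
    mismatch, shift = compare(profile, trace)
    if mismatch > mismatch_limit or shift > shift_limit:
        return f"ALERT: {mismatch:.0%} unseen sequences, max frequency shift {shift:.2f}"
    return "normal"

# Constructed sample traces of a "normal condition" run (not real program data).
NORMAL = [
    ["open", "read", "mmap", "mmap", "open", "read", "close"],
    ["open", "read", "mmap", "open", "read", "close", "exit"],
]
NORMAL_PROFILE = build_profile(NORMAL)

if __name__ == "__main__":
    print(predetermined_action(NORMAL_PROFILE, NORMAL[1]))
    print(predetermined_action(NORMAL_PROFILE,
                               ["open", "read", "execve", "socket", "connect", "write", "exit"]))
```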

Allowable Subject Matter 
5. Claims 6-10 and 16-19 are objected to as being dependent upon a rejected base claim, but 
would be allowable if rewritten in independent form including all of the limitations of the base 
claim and any intervening claims. 

Conclusion 

The following prior art made of record and not relied upon is cited to establish the level 
of skill in the applicant's art and those arts considered reasonably pertinent to applicant's 
disclosure. See MPEP 707.05(c). 



Application/Control Number: 10/668,046 Page 9 

Art Unit: 2432 

Detecting Intrusions Using System Calls: Alternative Data Models (Warrender, Forrest, 
& Pearlmutter, 1999) 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to VIRGINIA HO whose telephone number is 571-270-7309. The 
examiner can normally be reached on Mon to Thu; 7:30 AM - 5:00 PM (Eastern). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 